Information Exposure Through an External Behavioral Inconsistency| ID: 207 | Date: (C)2012-05-14 (M)2022-10-10 |
| Type: weakness | Status: DRAFT |
| Abstraction Type: Variant |
Description
The product behaves differently than other products like it, in
a way that is observable to an attacker and exposes security-relevant
information about which product is being used.
Applicable PlatformsLanguage Class: All
Time Of Introduction
- Architecture and Design
- Implementation
Common Consequences
| Scope | Technical Impact | Notes |
|---|
| ConfidentialityAccess_Control | Read application
dataBypass protection
mechanism | |
Detection MethodsNone
Potential Mitigations
| Phase | Strategy | Description | Effectiveness | Notes |
|---|
| | | Compartmentalize your system to have "safe" areas where trust
boundaries can be unambiguously drawn. Do not allow sensitive data to go
outside of the trust boundary and always be careful when interfacing
with a compartment outside of the safe area. | | |
| | | Setup generic response pages for error condition. The error page
should not disclose information about the success or failure of a
sensitive operation. For instance, the login page should not confirm
that the login is correct and the password incorrect. The attacker who
tries random account name may be able to guess some of them. Confirming
that the account exists would make the login page more susceptible to
brute force attack. | | |
Relationships
| Related CWE | Type | View | Chain |
|---|
| CWE-207 ChildOf CWE-895 | Category | CWE-888 | |
Demonstrative ExamplesNone
Observed Examples
- CVE-2002-0208 : Product modifies TCP/IP stack and ICMP error messages in unusual ways that show the product is in use.
- CVE-2004-2252 : Behavioral infoleak by responding to SYN-FIN packets.
- CVE-2000-1142 : Honeypot generates an error with a "pwd" command in a particular directory, allowing attacker to know they are in a honeypot system.
For more examples, refer to CVE relations in the bottom box.
White Box Definitions None
Black Box Definitions None
Taxynomy Mappings
| Taxynomy | Id | Name | Fit |
|---|
| PLOVER | | External behavioral inconsistency infoleak | |
References:None
